Exemplo n.º 1
0
Arquivo: ida.py Projeto: kin9-0rz/saam
    def __init__(self, apk_path, adb_path, aapt_path, is_emulator=False):
        self.apk_path = apk_path
        self.adb_path = adb_path
        self.aapt_path = aapt_path

        self.adb_wrapper = ADB(adb_path)

        self.apk_manager = Apk_manager(self.adb_wrapper, self.adb_path,
                                       self.apk_path, self.aapt_path)

        # self.is_emulator = True if is_emulator else self.is_target_emulator()
        self.adb_server_process = None
Exemplo n.º 2
0
    def __init__(self):
        """Init adb and command.

        export CLASSPATH=/data/local/od.zip;
        app_process /system/bin org.cf.oracle.Driver
        @/data/local/od-targets.json;
        """
        self.cmd_dss_start = ['am', 'startservice',
                              'me.mikusjelly.dss/.DSService']
        self.cmd_dss_stop = ['am', 'force-stop', 'me.mikusjelly.dss']
        self.cmd_dss = ['am', 'broadcast', '-a', 'dss.start']

        self.cmd_get_finish = ['cat', '/data/local/dss_data/finish']
        self.cmd_set_finish = ['echo', 'No', '>',
                               '/data/local/dss_data/finish']
        self.cmd_set_new = ['echo', 'Yes', '>', '/data/local/dss_data/new']

        self.adb = ADB()
        self.adb.run_shell_cmd(self.cmd_set_new)
Exemplo n.º 3
0
    def __init__(self):
        """Init adb and command.
        """
        self.cmd_dss_start = ['am', 'startservice',
                              'me.mikusjelly.dss/.DSService']
        self.cmd_dss_start_foreground = ['am', ' start-foreground-service',
                              'me.mikusjelly.dss/.DSService']
        self.cmd_dss_stop = ['am', 'force-stop', 'me.mikusjelly.dss']
        self.cmd_dss = ['am', 'broadcast', '-a', 'dss.start']

        self.cmd_get_finish = ['cat', '/sdcard/dss_data/finish']
        self.cmd_set_finish = ['echo', 'No', '>',
                               '/sdcard/dss_data/finish']
        self.cmd_set_new = ['echo', 'Yes', '>', '/sdcard/dss_data/new']

        self.get_sdk_int = ['getprop', 'ro.build.version.sdk']

        self.adb = ADB()
        self.sdk_int = self.adb.run_shell_cmd(self.get_sdk_int)
        self.sdk_int = self.sdk_int.decode(encoding='utf-8').strip()
        self.sdk_int = int(self.sdk_int)

        self.adb.run_shell_cmd(self.cmd_set_new)
Exemplo n.º 4
0
Arquivo: ida.py Projeto: kin9-0rz/saam
class Android_native_debug(object):
    def __init__(self, apk_path, adb_path, aapt_path, is_emulator=False):
        self.apk_path = apk_path
        self.adb_path = adb_path
        self.aapt_path = aapt_path

        self.adb_wrapper = ADB(adb_path)

        self.apk_manager = Apk_manager(self.adb_wrapper, self.adb_path,
                                       self.apk_path, self.aapt_path)

        # self.is_emulator = True if is_emulator else self.is_target_emulator()
        self.adb_server_process = None

    def __build_command__(self, cmd):
        ret = self.adb_path + ' ' + cmd
        if sys.platform.startswith('win'):
            return ret
        else:
            ret = ret.split()

        return ret

    def install_apk(self):
        self.apk_manager.install_apk()

    def is_androidServer_exist(self):
        base_cmd = 'ls -l /data/local/tmp'
        ret = self.adb_wrapper.run_shell_cmd(base_cmd)
        if 'android_server' in ret.decode():
            print('[+] android_server is existed')
            return True

        return False

    def exec_android_server(self):
        if not self.is_androidServer_exist():
            print('android_server is not existed!')
            print(
                'Please push android_server to /data/local/tmp/android_server')
            return

        self.adb_forward()
        print('[+] exec the android_server.')
        print(
            '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++'
        )
        # The self.run_shell_cmd call adb.shell_command function which using subprocess.popen().communicate() to exec shell cmd.
        # But if the target cmd occur a block, such as this case :),
        # then we could not continue running other cmds.
        # To avoid this situation, I use subprocess.popen and manually read the
        # stdout instead of using subprocess.popen(..).communicate()

        shell_cmd = '/data/local/tmp/android_server'
        print('--')
        self.adb_wrapper.__build_command__(shell_cmd)
        # self.adb_wrapper.run_shell_cmd(shell_cmd)
        # print('???')
        # print(self.adb_wrapper.get_output())
        cmd = self.__build_command__(' shell ' + shell_cmd)
        print(cmd)
        adb_process = subprocess.Popen(cmd,
                                       stdin=subprocess.PIPE,
                                       stdout=subprocess.PIPE,
                                       stderr=subprocess.PIPE)
        # if i use read() instead of readline, this function maybe block.
        # I don't know why~
        ret_line = adb_process.stdout.readline().decode()
        print(('[+] ' + ret_line.strip('\n')))
        print(
            '[W] Now you maybe need to wait several seconds, please be patient......'
        )
        ret_line = adb_process.stdout.readline().decode()
        print(('[+] ' + ret_line.strip('\n')))
        if ret_line.find('bind') > -1:
            print('    (Don\'t be worry, It is also working well )')

    def adb_forward(self):
        print('[+] Begin adb port forwarding......')
        cmd = 'forward tcp:23946 tcp:23946 '
        self.adb_wrapper.run_cmd(cmd)

    def get_pid_by_name(self, process_name):
        pid = ''
        ret = self.adb_wrapper.run_shell_cmd('ps')
        ret_list = ret.split('\n')  # split by '\n'
        for rl in ret_list:
            if rl.find(process_name) > -1:
                elements_list = rl.split(' ')  # split by space
                for i in range(1, len(elements_list), 1):
                    # The frist element must be 'root', so we find the send
                    # element which is not ''
                    if elements_list[i] != '':
                        pid = elements_list[i]
                        print(
                            ('[+] the pid of %s is: %s' % (process_name, pid)))
                        break

                if pid != '':
                    break

        return pid

    def kill_android_server(self):
        print('[W] Kill the android_server......')
        if self.adb_server_process is not None:
            self.adb_server_process.terminate()
        # first get the pid of android_server
        pid = self.get_pid_by_name(' /data/local/tmp/android_server')
        if pid != '':
            base_cmd = 'kill -9 %s' % pid
            self.adb_wrapper.run_shell_cmd(base_cmd)

    def exec_apk_in_debugmode(self):
        print('++++++++++++++++++++++++++++++++++++++++++++++++')
        print(('[+] Begin launch \'%s\' in debug mode......' %
               os.path.basename(self.apk_path)))
        self.apk_manager.launch_apk()
        print("[W]=== Have you attached successfully?(N or Enter):")
        cmd = str(stdin.readline())
        if cmd.find('N') > -1 or cmd.find('n') > -1:
            print('[+] Attach failed, Please try again :)')
            # kill android_server
            self.kill_android_server()
            exit(-3)
        else:
            print(
                '[W]=== Now you can open the DDMS and get the jdwp port of target process......'
            )
            print('[W]=== Please input the jdwp port of target process:   ')
            # NOTE: must strip by '\n'! Or the port will be 'xxx\n'
            port = str(stdin.readline()).strip('\n')
            self.connect_process_by_jdb(port)

    def connect_process_by_jdb(self, port):
        jdb_cmd = 'jdb -connect com.sun.jdi.SocketAttach:port=%s,hostname=localhost' % port
        print(('[+] Exec %s' % jdb_cmd))
        os.system(jdb_cmd)
Exemplo n.º 5
0
class Driver:
    def __init__(self):
        """Init adb and command.

        export CLASSPATH=/data/local/od.zip;
        app_process /system/bin org.cf.oracle.Driver
        @/data/local/od-targets.json;
        """
        self.cmd_dss_start = [
            'am', 'startservice', 'me.mikusjelly.dss/.DSService'
        ]
        self.cmd_dss_stop = ['am', 'force-stop', 'me.mikusjelly.dss']
        self.cmd_dss = ['am', 'broadcast', '-a', 'dss.start']

        self.cmd_get_finish = ['cat', '/data/local/dss_data/finish']
        self.cmd_set_finish = [
            'echo', 'No', '>', '/data/local/dss_data/finish'
        ]
        self.cmd_set_new = ['echo', 'Yes', '>', '/data/local/dss_data/new']

        self.adb = ADB()
        self.adb.run_shell_cmd(self.cmd_set_new)

    def start_dss(self):
        self.adb.run_shell_cmd(self.cmd_dss_start)

    def stop_dss(self):
        self.adb.run_shell_cmd(self.cmd_dss_stop)

    def push_to_dss(self, apk_path):
        self.adb.run_cmd(['push', apk_path, DSS_APK_PATH])

    def decode(self, targets):
        '''
        推送解密配置到手机/模拟器,让DSS读取解密配置。
        '''
        self.adb.run_cmd(['push', targets, DSS_TARGETS_PATH])
        self.adb.run_shell_cmd(self.cmd_set_finish)
        self.adb.run_shell_cmd(self.cmd_dss)

        self.start_dss()

        import time
        counter = 0
        while 1:
            time.sleep(3)
            counter += 3
            self.adb.run_shell_cmd(self.cmd_get_finish)
            output = self.adb.get_output().decode('utf-8', errors='ignore')
            if 'Yes' in output:
                break

            if counter > 120:
                print("Time out")
                self.stop_dss()
                return

        tempdir = tempfile.gettempdir()
        output_path = os.path.join(tempdir, 'output.json')
        self.adb.run_cmd(['pull', DSS_OUTPUT_PATH, output_path])

        if not os.path.exists(output_path):
            print('Could not pull the file {}'.format(output_path))
            self.stop_dss()
            return

        with open(output_path, mode='r+', encoding='utf-8') as ofile:
            size = len(ofile.read())
            if not size:
                self.adb.run_cmd(['pull', DSS_EXCEPTION_PATH, 'exception.txt'])
                self.adb.run_shell_cmd(['rm', DSS_EXCEPTION_PATH])
            else:
                ofile.seek(0)
                result = json.load(ofile)

        if not get_value('DEBUG_MODE'):
            self.adb.run_shell_cmd(['rm', DSS_OUTPUT_PATH])
            self.adb.run_shell_cmd(['rm', DSS_TARGETS_PATH])
        else:
            self.adb.run_shell_cmd(['pull', DSS_TARGETS_PATH])
        os.unlink(output_path)

        self.stop_dss()

        return result